KnowBe4 Battlecard

Use this when a prospect mentions KnowBe4 as an incumbent or shortlist option. The conversation almost always starts with "we already have security awareness training" — your job is to reframe what good looks like.

Their positioning

KnowBe4 sells compliance-driven security awareness training: large content library, phishing simulations, completion tracking. They are the market leader by volume and win on familiarity and procurement inertia.

Where they are weak

  • Vanity metrics — click rates and course completions don't correlate with actual risk reduction
  • Generic content — not tailored to role, department, or real threat signals hitting the org
  • No risk scoring — can't answer "who is our highest-risk employee and why?"
  • Compliance framing — designed to pass audits, not change behaviour
  • NIS2 gap — reporting doesn't map to NIS2 Article 21 requirements out of the box

Winning questions to ask

  1. "What metric do you use today to know the training is actually working?"
  2. "If your CISO had to present human risk to the board tomorrow, what would they show?"
  3. "Has your click rate gone down but incidents stayed flat? Why do you think that is?"

Objection handling

ObjectionResponse
"We already have KnowBe4" Great — so you have the compliance box ticked. What we do is different: we tell you which employees are your actual risk right now, based on live threat signals, and we train them on exactly that. Can I show you what that looks like for an org your size?
"KnowBe4 is cheaper" On licence cost, yes. But factor in the admin overhead to run campaigns, the cost of a breach caused by someone who completed all their modules, and the audit remediation when your board asks for risk evidence you can't produce. The TCO story flips quickly.
"Our employees are used to the KnowBe4 format" That's actually part of the problem — familiarity breeds inattention. Our adaptive format is short, contextual, and triggered by real events. Completion isn't the point; behaviour change is.
"We're locked in for 2 more years" Understood. Let's talk about what a parallel evaluation looks like — we can run a risk assessment on your org right now, no commitment, and give you the data you need to justify a change at renewal.

Proof points to use

  • Customers switching from KnowBe4 report 60% reduction in admin time within 90 days
  • Human Risk Score used by security teams to brief boards and satisfy NIS2 auditors
  • Average time-to-value: 2 weeks from contract to first risk report